Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘jihad’ Category

The Widening Gyre: Putin’s Asset Sets Multinational Norms On Fire and Begets Global Negative Actions

We are beginning to reap the whirlwind in the news cycle from the election of Trump and his breaking of norms that this country and the world have come to rely on. This is exactly what Putin wanted: a country in the midst of a political and social rift that takes our eye off the global ball and allows for negative actions to be carried out without sanction. We have seen Trump set the Constitution on fire, along with the judicial body of the United States and the economic norms, and generally break up the balance of power in the world. This has allowed Putin greater freedom to act, and in turn others now feel empowered. China, North Korea, Syria, and most recently Saudi Arabia have taken actions that in normal times would possibly not have been taken, were the nations not generally at odds due to America’s abdication of its role.

Let’s cover some of the things going on…

RUSSIA:

Putin is still working the levers of power and in so doing he is still making moves on Ukraine, all the while leveraging the problems in Syria as well. His actions are twofold: first, to annex Ukraine altogether if he can. If he can’t, then he will continue to fight with disinformation and active measures campaigns until he has more control over the area, even if he cannot all-out annex it back into Russia proper. Meanwhile, in Syria, Putin is leveraging Erdogan and the battle there with da’esh to gain a foothold in the region and have a friendly dictator he can someday use as a proxy against others in the world.

Meanwhile, Putin keeps having his enemies killed off in interesting ways. The list has been topped off as of yesterday with an oligarch who ran afoul of him being found in a park choked to death by a dog leash.

…. A dog leash….

Now that is a metaphor huh? Putin will continue on liquidating his problems with impunity because the norms have all been broken because of Trump. The U.N., NATO, all of the normative bodies have been rebuffed by Trump and weakened. All that is lacking now is an assassination of a Putin enemy on American soil for his win to be complete. Putin pulled a master stroke in helping Trump win. Even so, don’t believe for a second that Putin isn’t also waiting to use Trump more; and if Trump begins to fail him, he will continue to perform flyovers in our air space like he has been with the BEAR FOXTROTS over Alaska and likely will become more aggressive. I have yet to hear anything about SSN activity but be assured they are there… Waiting.

CHINA:

China has upped its espionage games since Trump started his little trade war with them. Recent events have shown a rise in hacking and phishing campaigns that had slowed down since the Xi and Obama agreement. That’s over now though, and with the trade war heating things up and rankling China’s core ideal of being an economic superpower, we are going to see not only more hacking and phishing with a side of theft of IP but also classical espionage tradecraft to carry out the same goals. All of this will only escalate against the US as we move forward, and likely more things will be set on fire by Trump’s economic disaster plan.

MEANWHILE…. China feels empowered too because of all the fractiousness in the world’s governing bodies and has made the ex INTERPOL chief disappear while in China. Gee, China is now feeling like they can just disappear the head of an international investigative body.

Nice.

As all of this is going on we also have coincidentally, the arrest of an MSS asset in Belgium for economic espionage against the US aerospace community. Hmmmm gee, what a coincidence that this happens as the INTERPOL chief is disappeared. As you can see, and perhaps make the connections yourselves, it may be that the MSS is reacting to the impending arrest and or extradition of their asset by grabbing another as a warning?

Hmmm….

Yes, expect more to come out of China with the worsening of the trade wars as well as the eroding of the world’s norms on illegality.

Thanks Putin and Trump!

Oh yeah, and I forgot to mention the whole South China Sea thing too…

SAUDI ARABIA:

Next up, Saudi Arabia seems to have lured a Washington Post reporter to Saudi only to kill and perhaps dismember him in an embassy there. Saudi has never before been as bold and I directly point toward the breaking of all the norms and groups for this action too. It’s been pretty blatant and I suspect there will be no sanction over this. I mean, look, it’s Saudi right? OPEC, oil? Not to mention that Trump was basically setting himself up to be their stooge since the beginning. Nope, nothing will come of this and now the Saudis have killed a Saudi journalist working for an American news org.

I also want to mention the whole glossy magazine that was put out by Trump’s friend David Pecker back last summer. What was this all about? Well, it seems that that was a PR move to make the house of Saud more accessible to the US consumer? Put another way, the new crown prince wanted to look progressive and hip and with the help of Pecker they tried real hard. It’s just that the mark was missed with this publication. In fact it only made an already wary populace start asking questions as to why this happened and what kind of conspiracy was afoot. Expect more to come out of this Saudi reporter’s death and it will likely not be pretty. If they get away with this, and I think they will, then expect Saudi to pull some more stunts in the future as the crown prince gets more bold.

TRUMP REPUBLICANS:

Finally, the TRUMP party, I really don’t consider them Republicans anymore, will continue to push the limits of the nation’s norms and laws until they are just removed from power. The events around the recent SCOTUS nomination and confirmation of Kavanaugh are a clear example of how the Trump party is abusing their control over the House and Senate to get whatever they want over what the governed want. The Kavanaugh thing is just the most naked misuse of their power to date though, and I am sure more will be coming once Trump replaces Sessions with a minion under his control. This will set the trifecta into play: DOJ under his control, SCOTUS under his control, and Mueller with a new target painted on his back.

I fully expect that when this happens the Russia investigation will be liquidated and the Trump party will lock arms and say that this is not a constitutional crisis. Of course then the DOJ will agree and SCOTUS will concur. It will all disappear at least legally right? This is Trump’s greatest desire and it seems more and more likely that this can happen because of the Kavanaugh ascension. An alternate timeline to this would be that Trump allows the investigation to finish but then has Kavanaugh in his pocket to be the deciding vote on whether or not a sitting president can be indicted.

Either way, it seems that if Trump can replace Sessions with a partisan minion, we are all doomed.

Even more worrying is the upcoming mid term elections. If the Trump party continues to be in control, expect to look fondly at the times of outrage over Trump’s mild bad actions because he will feel empowered to do even more bad things if he has total control.

Once again, thanks Putin.

We are at a tipping point here and not just with regard to climate change kids.

K.

Written by Krypt3ia

2018/10/11 at 13:38

SADAQAHCOINS: Darknet Jihad Funding

A few days ago the word got out that a new da’esh jihadi funding site had hit the darknet. Much of the reporting has been about the novelty around this idea, which isn’t all that novel really. There was another site back in the day that was looking for bitcoin donations and was much more sketchy than this site is but who’s paying attention right? Anyway, this site is the next generation of jihobbyist funding by an unknown group of guys and it is novel in a couple of ways that the other reports missed. In fact, one alleged expert marked this site down as just another scam site when, while it may in fact be a scam, it is much more nuanced than the usual fare you see in the darknet and thus I judge it to be run by people who at least know the jihad well and understand the Hadiths.

The premise of the site is based on the Islamic notion of Sadaqah, which is misspelled for the jihobbyists on this site to make it catchy. Sadaqah, literally means charity or benevolence and is an apt name for this site because it is exactly that which they are seeking. It is an interesting area of Islam concerning your obligations for charity as well as public works and in this twist, the sadaqacoins crew is attempting, as others have, to manipulate the original intent of Sadaqah, for jihad and the furtherance of the war against the infidels. That this site is using trackable bitcoins and attempts to use a more opaque currency like Monero is novel only for the fact that this site is much more slick and put together than the others I have seen out there in the past. Honestly, much of the jihad has always been propped up on donations and the Hawala system since the beginning of the GWOT.

Of course this site not only wants to have the believers give them bitcoin for the jihad but they have funding programs for specific things like buying a sniper rifle or a truck that they can mount a gun on. Not much new here in the way of asking for donations like this inside the jihad. Now, what is new is that the site is open to “others” to suggest funding programs or “projects” as well, so anyone could hit them up within different areas of the jihad to get this funding set up. This could be the big difference if this thing actually flies. Imagine more of the disparate cells asking for new projects and then setting up their own bitcoin wallets. This could mushroom a bit for the more savvy jihadis out there on the net looking to help but maybe not get blown up in the lands right?

In fact, the most interesting bit for me and for my old friend Onionscan was the fact that these guys added an Eid celebration to the mix where you could donate for sacrifice. What this means is that you could help the jihadis celebrate Eid in country by funding their goat dinner. This is a bit that I think others missed in reporting this for two reasons. First, the people who wrote about the site don’t understand the religion and the sociology, and second, the site had been updated with the Eid celebration by the time I got to it. In fact, it was here that Onionscan puked out some interesting information about the mostly secure site. It seems that their Eid celebrations were posted in haste and they forgot to get rid of their EXIF data.

Oops.

Basically, the data that I managed to pull out of all these photos show that they are using a phone camera by Motorola and managed to not have their geolocation turned on. Of course this doesn’t mean they won’t mess up later and leave that kind of data in them for us to hoover up and use as coords for a hellfire visit. This all could be leveraged by the right players though to manipulate them to make a mistake in the future as well. I look forward to seeing where this all goes in the future. However as it stands now, their OPSEC is fair to medium. They did manage to give us a lot to work with though with all the email addresses to reach them on and their Telegram channels to infiltrate and get in their insides with.
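An added example (not part of the original post, and not Onionscan's code) of the EXIF check described above: it walks a JPEG's segments, reads the camera make from the Exif block, and reports whether GPS coordinates are really present rather than just a GPS pointer. The function names and the sample images built in `build_sample` are constructed for this illustration.

```python
import struct

TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
TAG_GPS_LAT, TAG_GPS_LON = 0x0002, 0x0004
ASCII_TAGS = {TAG_MAKE: "make", TAG_MODEL: "model", 0x0131: "software"}


def find_exif(jpeg: bytes):
    """Walk JPEG segments; return the TIFF blob of the Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: metadata is over
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        if length < 2:
            break  # corrupt segment length
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None


def _entries(tiff: bytes, off: int, bo: str):
    """Yield (tag, type, count, raw_value) for each 12-byte entry of one IFD."""
    (count,) = struct.unpack_from(bo + "H", tiff, off)
    for i in range(count):
        yield struct.unpack_from(bo + "HHI4s", tiff, off + 2 + 12 * i)


def audit_image(jpeg: bytes) -> dict:
    """Report which identifying Exif fields an image would leak if published."""
    report = {"has_exif": False, "has_gps": False}
    tiff = find_exif(jpeg)
    if tiff is None:
        return report
    report["has_exif"] = True
    try:
        bo = {b"II": "<", b"MM": ">"}[tiff[:2]]  # TIFF byte order
        magic, ifd0 = struct.unpack_from(bo + "HI", tiff, 2)
        if magic != 42:
            raise ValueError("bad TIFF magic")
        for tag, typ, n, raw in _entries(tiff, ifd0, bo):
            if tag in ASCII_TAGS and typ == 2:
                if n <= 4:  # short strings are stored inline
                    data = raw[:n]
                else:       # otherwise the field holds an offset
                    (off,) = struct.unpack(bo + "I", raw)
                    data = tiff[off:off + n]
                report[ASCII_TAGS[tag]] = data.split(b"\x00")[0].decode("ascii", "replace")
            elif tag == TAG_GPS_IFD:
                # A GPS IFD can exist with location off; only lat/lon tags count.
                (gps_off,) = struct.unpack(bo + "I", raw)
                gps_tags = {t for t, _, _, _ in _entries(tiff, gps_off, bo)}
                report["has_gps"] = bool(gps_tags & {TAG_GPS_LAT, TAG_GPS_LON})
    except (KeyError, ValueError, struct.error):
        report["malformed"] = True
    return report


def build_sample(make: bytes, with_gps: bool) -> bytes:
    """Constructed test image: SOI + Exif APP1 + EOI, little-endian TIFF."""
    n = 2 if with_gps else 1
    data_off = 8 + 2 + 12 * n + 4           # header + IFD0
    make_bytes = make + b"\x00"
    padded = make_bytes + b"\x00" * (len(make_bytes) % 2)
    gps_off = data_off + len(padded)
    ifd0 = struct.pack("<H", n)
    ifd0 += struct.pack("<HHII", TAG_MAKE, 2, len(make_bytes), data_off)
    if with_gps:
        ifd0 += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)
    ifd0 += struct.pack("<I", 0)            # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + padded
    if with_gps:
        lat_off = gps_off + 2 + 12 + 4
        tiff += struct.pack("<H", 1)
        tiff += struct.pack("<HHII", TAG_GPS_LAT, 5, 3, lat_off)
        tiff += struct.pack("<I", 0)
        tiff += struct.pack("<6I", 0, 1, 0, 1, 0, 1)  # placeholder 0/1 rationals
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(audit_image(build_sample(b"Motorola", with_gps=False)))
    print(audit_image(build_sample(b"Motorola", with_gps=True)))
```
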

 

 

Another point of interest for me on the OPSEC front was their choice of languages for the site. It seems that these jihadis like to speak German, Turkish, and English. These three languages are of note because the site has no area that is strictly in Arabi and that is an oddity. This implies that the group who set this up are English speakers, Turks, and Germans but not really well equipped to write and read Arabic, and this kind of tracks with some of the intelligence that has come out of the da’esh circles over the last couple of years. There has been an influx of foreign fighters to the jihad but really guys, no Arabi? Shame on you as good Muslims not at least being able to have a page in Arabi!

I guess maybe we can see if they add some Arabic later on…

Meanwhile, back to the bitcoins. This site has 12 bitcoin wallets at the time of my assessment and NONE of them have any coin in there at all. Nothing, nada, niente. Of course the site is fairly new so I can see why it wouldn’t have any coin in there yet. In fact the site only popped up on my link search in the darknet on the 24th of August so there is that. (see below) So we need to give it time to see what else they do and if anyone actually donates. Once they do, well then we can track the coins and see who did what huh?

Well, this was an interesting diversion for a while but I am still kinda meh about the whole thing. I am gonna keep an eye on it and maybe visit those Telegram channels to see what other OPSEC FAIL’s they make. Until then, hey, it’s out there and it’s novel.

BOOGA BOOGA BOOGA JIHAD IN THE DARKNET BOOGA!

Derp.

K.

Written by Krypt3ia

2018/08/27 at 18:22

Fancy Bears, CyberCaliphates, and Reporters

Recently the AP put out a story that links the GRU (Fancy Bear/APT28, whatever you want to call them) to a spate of threats made to five military wives back in 2015 and alleged to have been carried out by Da’esh or the CyberCaliphate. Caliphate is/was/kinda was a loose group of hackers in the Muslim community who carried out a bunch of web defacements with slogans like “we love ISIS” etc. Now this isn’t very scary and the group finally got a titular leader in Junaid Hussain, a Brit who went to Jihad after being popped for hacking with an Anonymous group. These disparate groups of skids are still out there today defacing pages and causing a nuisance but none of them ever rose to the level of being a clear and present danger hacking wise, but Juny, well, Juny became a mouthpiece for da’esh and his popularity got him whacked with a missile in Raqqa.

From AP News

The AP story though, is only tangentially about the CyberCaliphate in that the claims made by the AP are that the five wives who were threatened were in fact not threatened by Caliphate, but instead by the GRU carrying out a “False Flag” to make it look like it was the skids. While Juny and whoever else he was working with did in fact dump some military data back in 2015, there were other hacks that people think weren’t him and the brothers at all, because their sophistication means that they had help, if it wasn’t outright someone else entirely. The fact of the matter is that finding open source lists of military and others’ details is easy with Google Fu today and no hacking may have been needed for many of these dumps that the ISHD dropped. There were some righteous hacks though, and I can easily go with the idea that the Russians and others perhaps had been leveraging these guys’ names to carry out their own attacks for their own ends, but this threatening of five military people’s families is a bit of a stretch for me to say is definitively the GRU and not in fact the real ISHD or Caliphate hackers.

My biggest problem with this AP report is that there are little to no details on how they came to the conclusion they reported. In asking the reporter, Raphael Satter, on Twitter I only got sketchy replies on how he/they got this grand conclusion. Basically, his story is that he asked SecureWorks for their data (including personal information it seems of those who got hacked/attacked) and went through all of the phishing emails that were sent by APT 28 using the bit.ly links to avoid Google filters. Out of all those 4k emails they then saw that the five families were recipients of the phishing emails that APT 28 sent to everyone in their large drift net attacks to gather intelligence. AP/Satter then went and rummaged in their closet for the JUMP TO CONCLUSIONS MAT and laid it out to finalize their cognitive bias. From this, and it seems from bothering a bunch of military wives previously on the 4k emails that went out, they came to the conclusion somehow that the five were in fact attacked by the GRU because they got those phish. Satter and AP give no details or evidence on this and in my chat with Satter on Twitter he was too busy pub crawling to answer my questions fully on this.

While it is not inconceivable that these families may have been harassed by the GRU for some reason, it is also not a conclusive fact given what has been presented by the AP that they did in fact do this and it was not really the actual ISHD or CyberCaliphate or even just Juny himself. What really needs to happen though, is when a reporter and an agency makes an assertion, but provides little to no evidence of it, it kinda comes off as a grab for attention without truth to back it up, in effect, they did it for the clicks. Now if Satter and AP can provide more conclusive data then I will concede that they are in the right here, but so far they have not. I see no direct connections in the story to anything more than the fact that these ladies got messages on Facebook that were threatening and claimed to be from ISIS. When I asked if Satter had tried to pull the data together to see if these families all had members in FOB’s (Forward Operating Bases) he did not even know what that meant, so I enlightened him. My point being is that if those five members of families were in an area that the Russians wanted to effect some outcome at the time of the attacks, then maybe I could see my way to believing it, but if it was only five, and there is no evidence that they were in positions that the Russians would want to effect, then why do this at all? Why only five? Am I missing something? It all comes back to “Cui bono” or “Who benefits?”

Certainly the AP story is splashy and makes for clicks but I have these concerns, and I now also have to wonder about SecureWorks giving up this data with PERSONAL DATA ATTACHED to the AP. Say, isn’t giving personal data of military and government people to the AP a violation of law somehow? Even if the AP says they are protecting the data, this isn’t really kosher to me, but who am I huh? Maybe just someone with data out there huh? It also makes me wonder how SecureWorks is feeling about all this too. I mean, they had all this data and they did not report this. As Satter said to me, he and a team of people pulled all this together. Well, unless you provide your work it’s just another story and may in fact be incorrect. But back to SecureWorks, why did you guys give this data to the media? What were you thinking?

Screenshot from 2018-05-14 09-12-55

All in all I have had this story sticking in my craw for a while now and I had to get this out. I have worked on the Caliphate and ISHD tracking so I know the players and I know the game. I am certain that in some cases the attacks carried out were too sophisticated and coherent for them to be the actors involved, but to make these wild leaps of logic like AP did and then publish them without supporting evidence is bad journalism. In a time when the media wants to be above board because we have a liar in chief in office who is daily attacking our institutions like the Fifth Estate with disinformation, we need you reporters to do a better job than this. If Satter and AP can provide more then I will be happy. Until then, this story is just that and just adds to the cacophony of fake news and clickbait that I deplore.

K.

UPDATE: One last thought I thought I should add. There is a definite difference between actors here where it comes to ISHD and CyberCaliphate. Two different manners of attacks/hacks and ways of speaking. Look at the image above and look at the language as opposed to most of the defacements and posturing by the UCC. So if you want to say anyone GRU may have done this you would want to call them out as ISHD (Islamic State Hacking Division) as opposed to CyberCaliphate.

Just Sayin.

Written by Krypt3ia

2018/05/14 at 12:33

Posted in Da'esh, ISIL, jihad

MuslimCrypt and Clickbait

MEMRI talked up a report on a new “steg” program being offered and “used” by da’esh that was then picked up on by Wired (or more to the point someone called from MEMRI offering a story because slow news day at Wired) touting the new scareware booga booga booga that jihadis are using STEGO ERMEGERD! Of course this type of encryption has been around all along and in fact, as Wired alludes to, it has even been used by UBL back in the day as well. The fact that there is stego out there is nothing new but this alleged program is, maybe. You see, the problem I have with this assessment and the Wired story sold to them is that there is no real penetration of this software being used as far as can be seen, and in fact nowhere on the net can the actual software be found to download.

So yeah, it is not in every da’esh cyber toolbox kids and if anything, it may be an OP trying to pop some of them on Telegram.

Telegram Accounts:

The Telegram accounts involved in this drop also seem to lack some history as well. I looked them up on Telegram and there isn’t much to see at all. Of course it could be that one needs to engage with them to see more but I am not going to do that for this so suffice to say that Google searches of these accounts, the names in them, and iterations thereof come up with nothing useful. In essence what I am saying here is they have “no history” and thus to me should be looked at as cutout accounts to drop this software from and nothing more. This is an important piece of the puzzle too but it seems MEMRI is more interested in selling subscriptions and getting on Wired than they are at being thorough in investigating things like this.

MuslimCrypt.zip and .exe:

Meanwhile one cannot find the software at all nor the zip file anywhere on the net. Not one download link anywhere. No uploads to MEGA, nor any of the other places that you would think that these guys would want to put it so that the jihadi masses can securely talk right?

Nopesauce.

The staggering lack of the file only leads me to believe that it was a drop to entice people to download in-line on Telegram in hopes that the account (MuslimTec) would be a form of watering hole attack. We see this kind of thing all the time in the hacking world and many of those kinds of attacks are carried out by more sophisticated actors. In this case the only place that the file can be seen is on Hybrid Analysis and on VirusTotal and even there there are only one to two drops of the file for testing. In all of these cases the files are not available for download so only one source has uploaded them.

Interesting huh?

So what do we have here so far… One source (MEMRI) sharing a story with Wired about a software package no one really has except MEMRI? How odd is this? Well, kinda odd and to me smacks of two things;

  1. MEMRI got played
  2. This was an OP by a nation state actor looking to own some jihadis

I will go into these ideas in some more detail below. Just remember that it is odd that these files are not out there in the forums nor being saved and uploaded for more penetration of use.

Reversal of the binary:

I found that the zip file had been uploaded to Hybrid in January as well as March 4th 2018. The VT upload happened in February 2018 so this has been around and about a bit. Remember though, these are the only instances of the files that I could find, and I REALLY wanted to find a copy. So whoever had the files to upload (assuming it was MEMRI) are the only ones to do so. I looked at the whole sandbox report of the zip and the executable and came up with some interesting factoids for you all.

  1. The language set is German
  2. The language of some of the re-used code snippets is German, so I could go either way on this one. Could be a German who did the coding or just someone who knows some and worked on re-used code to make this program
  3. This was cobbled together by someone with some skills
  4. The software does have what seems to be a keystroke recorder built in but it has nothing really to do in sandbox because it is a sandbox and no actual keystrokes are made
  5. Whoever compiled this has a pc name or a folder name on their system of “SultanEasy” with “SultanEasy-2” which, ya know, kinda sounds all code wordy to me

I scoured the internet for “SultanEasy” and “SultanEasy-2” to no avail. Now with that in mind consider that this was a slip up on the part of the coder and that this folder in projects is a code name.

Ponder ponder ponder… A piece of software magically dropped on Telegram by accounts with no history and a binary that has a keystroke logger embedded in it?

Hmmmmmmmmm…..

Oh, by the way MEMRI, your reversal skills suck.

An Op?

Overall, this smells bad and MEMRI seems to have fallen for it or is unable to read a reversal report and strings well enough to see things in perspective.

Could this be an operation by a nation state? Sure.

Could it be another group like Anonymous or some other vigilante group? Sure.

Could it be a serious attempt at making steganography the go-to encryption for jihadis today? Yeah no.

Nice clickbait though.

Derp.

K.

 

UPDATE: I was sent this by <REDACTED> this is from a paste of conversation screenshots from the MuslimTec Telegram channel…

Screenshot from 2018-04-02 14-45-24

So yeah, there are many comments in there about spies and even at one point claims of being hacked by dissension…

Just sayin.

Written by Krypt3ia

2018/04/02 at 18:06

Posted in Da'esh, jihad, Jihobbyists

Amaq News Malware Attempt Using Old Malware

Amaq Hack:

Vice reported on the Amaq News Agency’s hack and dissemination of malware last week and the report really kind of fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself. Which is exactly what I did and located two samples of malware that are from other domains owned by the same players. What follows is a run down of those samples (I was unable to find the one mentioned in the story as of yet but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.

As some of you may know, Amaq is just the news site for the dissemination of propaganda so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though the malware mentioned in the piece on the 30th is a flash update and the malware I located on the other attached domains is an .apk file that allegedly is for a flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 RAT that everyone sees to pwn an alleged 600 click happy jihadis?

REALLY?

Right so as the Vice article says the malware was easily seen by a multitude of AV products so really, you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different but this was an executable binary so.. uhh.. Duh? Right, well the malware in the story was ostensibly just an update to Flash if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.

Domains:

After checking the domain jiko.at from the url that was serving the malware last week I began tracking down the owner data. What came from that is that the email address of alibenmohaed216@gmail.com is a throw away account as far as I can tell with only three domains being registered with it. Once you look though, you can see that more domains actually had been created by the same actor using the name “dertou” as well. Those domains are ad13.de, amaqqq.xyz, baqiyy.at, and jkikkia.at.

Without going too far down the rabbit hole here I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit it seems. One of the domains is still live and is serving out the malware:

Now this address would match up with the attempts at trying to get amaq users to go to a bad squatted address and this is where I got the malware I mentioned above (details below). The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya” but others like ad13.de have nothing to do with all that, and in fact ad13 is a much, much older domain. Ad13 was originally created in around 2013 and was decommissioned around October 2016 with changes made to the domain in July 2016.

When I started looking up the list.ru address I hit a road block for now but I will keep poking at that because I feel that this person is one of the key players if not the key player here. Otherwise there is the usual obfuscation going on with the other addresses out there and as such I am just going to drop them for now. Instead, I will look at the malware and where that is making calls to after dumping the IOC’s on you all.

Here you go!

IOC’s:

Malware:

The malware sample I got from the amaq xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the url. Once run it attempts to contact several domains and IP addresses for the second stage.

These addresses don’t actually have sites on them so they are just C2 and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second stage malware install site. None of these though have the gate.php and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks had not Vice and other sources reported on the hack. Perhaps though because it is still live the hackers plan on another attempt at going back to the well no?

Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV, and the RAT is old so was this a real attempt at harvesting or was this some sort of pranksterism or PSYOP? Frankly I can see it both being semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the list.ru user to me says that there may be more to this if I dig further but then I have to be that interested in who may be fucking with amaq.

The fact of the matter is Da’esh is losing ground and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys has been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style so once they lose Raqqa they will lose a great deal of cred online in my opinion. Perhaps then they will be less of a threat on the GWOT in that respect… Maybe not.

Anyway, yeah, these guys are soft targets and not the sharpest tools in the tool box so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really so this is a non story to me. It is more interesting to me who may be trying to fuck with them and to determine why exactly. Is this the IC trying to deter them or is this an OpISIS kind of thing?

I am still deciding…

K.

Written by Krypt3ia

2017/04/03 at 18:42

Posted in CyberFAIL, Da'esh, jihad

Ahmad Rahami’s Journal: The Sycophantic Nature of Failed Seekers


Ahmad Rahami, the new jihadi wannabe lone wolf du jour made a splash with his bombings of a dumpster and a trash bin on CNN and the other media outlets but let’s really take a closer look at Ahmad and his mindset with the release of his ersatz “journal of jihad” shall we? First off, I am tired of the media coverage and while this was serious, it just shows you the level of recruit and planning that AQAP/AQ/da’esh have in the US presently and to wit, not very high. Frankly, looking at his journal pieces here I can only surmise that if Ahmad doesn’t have some sort of personality disorder it would greatly surprise me. On the other end of that spectrum, Ahmad clearly is a failed seeker acting out within the confines of his chicken shop malcontent diaspora in search of importance.


Ahmad opines the usual catch phrase diatribes seen in Inspire or Dabiq and on the web in general on the boards but seems to not really have a greater grasp of his own religion than most of the daeshbag recruits these days. Clearly he has been suckling at the tit of the jihadi propaganda machine and in fact had close contact with recruiters in Afghanistan and Pakistan where he spent a good deal of time in recent years on and off. These guys look for recruits who have weak wills and minds that can be easily swayed. Minds and hearts, egos in search of self importance that they lack presently but are told that they will be martyrs for the greater cause if they blow themselves or the far enemy up and it is bullshit.


All of the propaganda placed by these Khawarij are just a mental virus, neuro-linguistic programming, used to prey on the weak minded souls out there, those failed seekers in order to bring them in and turn them to the Khawarij will. For some time now the security services and governments of the world have been trying to see how they can combat these memetic viruses online and so far no one has been able to come up with a solid solution. Those who are seeking will latch onto anything that they feel an attraction to and it has been since time immemorial. Cults, and religions both rely on this to build their base, belief is key and the means to that end is dogma.

In Ahmad’s diary we see this in action and we see the brain washing and self delusion that goes on here with the repetitive statements in this journal that he used to egg himself on to action. No doubt he wrote this out and continued to do so as he built the bombs. All of this, all the language is a means to an end to justify to himself his actions. Actions fed to him by the propaganda online, in person, and programmed into him and all the others who are willing to listen, to believe, and to act.

Weak minds.

Weak souls.

Pawns of the Khawarij.

I truly hope we can come up with a means to combat such memetic viruses but so far I see no hope of it. Prepare yourselves for the other weak minded jihobbyists out there to try and catch their own brass ring of importance. Just don’t let them enable fear to win and change the course of our governance to a fear based one… Well… One that is more so than it already is.

Dr. K.

Written by Krypt3ia

2016/09/23 at 14:25

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.


In 2013 I wrote about leaderless jihad and the “Stand Alone Complex.” Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last night’s attack using a lorry was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadis. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

[Screenshot] 2014 Inspire

[Screenshot] 2010 Inspire 2 “Ultimate Mowing Machine”

 

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dhaka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.


So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are self-radicalizing with the help of the media’s obsession on covering ad nauseam these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self fulfil the actor’s need for attention and satisfaction.


This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize its happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

 

Cyber Jihad Marketing: Yelling FIRE! In A Crowded Theater


 

Recently, a reporter that I know came to me asking if I would look at this ICIT-Brief-The-Anatomy-of-Cyber-Jihad1 and give input on it. They wanted to have my opinion because the firm that wrote it was seeking a reporter to flog it on their news site. I told the reporter after looking at the “analysis” this exact quote: “This report is the marketing equivalent of yelling fire in a crowded theater.” Well, it seems that CNBC bought it though and my hand has been forced to write about this travesty. ( CNBC Report that forced my hand ) I told the reporter to back away slowly and to their credit they did. CNBC not so much. So here I am going to outline how this report is full of marketing and cognitive bias and wild assumptions. Oh, and that is if you can get past the hyperbolic language in the first graph…

[Screenshot]

I shit you not..

Cyber Caliphate & Junaid Hussain:

The report goes on a long time talking about Da’esh and their origins. While much of that data is right on, the report starts to go off the rails once they begin talking about the “cyber” part of the picture. They start off by talking about Juny and his cybering, the defacements out there, and the propaganda war that is still ongoing by the likes of Da’esh, AQAP, Boko Haram, etc. Which is all fine, mostly accurate, but then they start to talk about “possible capabilities” after they just pretty much said “They aren’t that capable.” Cognitive dissonance much there guys? The truth of the matter is that to date, the propaganda war is the biggest and most dangerous war here, not the so called cyber war that this “analysis” is pimping. I have been following this stuff since 2001 and Juny is the new Younis Tsouli really, both were/are moderately skilled in hacking but not much more than that. Both were much more propaganda figures, and more dangerous in that capacity than any of their hacking skills. In fact, in the case of Younis, he got the heat and popped for that very reason, he was making a splash and attracting followers. Juny had that very same skill set and became much bigger a deal because he caught the zeitgeist for the jihobbyists out there with his mouth on Twitter. This is why he was killed with a hellfire, not because he hacked any big databases or got the real dope from some hack. In short, both were a danger because they had followers, and those followers were radicalising off of their jihadi bluster online and caches of propaganda from the main marketing teams of their respective terrorism groups. (AQ for Younis and Da’esh for Juny)


Of course the report would not be scary enough without the “Cyber Caliphate” an operation that Juny lamented was just him, no one else, before he got whacked on Telegram. That’s right kids, Juny was pimping something and making shit up. Once Juny got whacked you know what happened? Groups of guys like Team Fallaga took up the mantle and went on to deface pages like the dickens! “OOH SCARY DEFACEMENT BRO” While the report states this, and some of the other information I just mentioned, they then go on to analyse and say that these guys aren’t capable now but someday… SOMEDAY they could be. Oh really? You don’t say! Sure it is possible but it is not likely. Given that most APT activity takes money, time, and cohesion, the jihadis are all over the place and usually small disparate groups of skiddies, not solid hackers. So, the scare tactic of analysis is way off the mark in this report and this is why I told the reporter to step back slowly from their pitch. If this group had left it at that, “it could happen but it is not likely,” I would have had some respect for them. Instead they chose the other, “scare the client into buying shit” route. As for Cyber Caliphate and all their other silly acronyms, none have shown that they are a credible threat to much else than an insecure web page. No real data has been hacked and their “data drops” of enemies to kill have all come from open sources on the internet. Sure, is it problematic that they are doing this? Sure. Is it a clear and present danger of cyber capabilities that they could strike the grid next?

No.

Just stop.

Jihadi Helpdesk

PSSSST hey morons.. There is no Helpdesk

[Screenshot]

I need not say more right?

… But I will.

DO YOUR GOD DAMNED HOMEWORK AND QUIT THE FEAR MONGERING FOR MONEY!

CYBER JIHADI DARKNETS

Of course these guys could not miss an opportunity to scare and of course they had to use the scary “Dark Net” or “Deep Web.” I have been on the dark net for a long time and I will tell you I have found a few sites but nothing there is that scary. In fact, to date, the sites either have been hacked soon after and taken down, or just sit unused. So really, the dark net is no threat here. Sure, the jihadis are using technology to obfuscate their chats now and trying to hide in the “deep web” of un-spidered content but the reality is most of this stuff is non operational. What the jihad today (Da’esh) wants mostly is to radicalize and activate those in the US like Omar Mateen without even really having contact with them.


So, the darknet… Not so much a terrorist haven kids. Sorry

https://krypt3ia.wordpress.com/2015/11/15/the-first-official-daesh-darknet-bulletin-board-has-arrived/

https://krypt3ia.wordpress.com/2015/11/18/daesh-darknet-under-the-hood/

Overall Analysis of Scare Marketing and Cognitive Bias

This report is a travesty of a tissue of what if’s that really is just a pulp thriller wannabe disguised thinly as a marketing piece cum serious analysis of Jihad online.

Please believe none of it.

Dr. K.

Written by Krypt3ia

2016/06/20 at 12:50

Inspire 14: Assassination Operations and Dabiq 11: The War of Coalitions


 

Well it has been some time since I cared enough to actually look at the media being put out by Da’esh (Al-Hayat) never mind the ever present Inspire magazine put out by AQAP and Al-Malahem. Things however have reached a point where I am going to speak up again on what is going on with the GWOT as it is called. Yesterday there was a report put out about fifty intelligence analysts who officially complained about their analysis products being cherry picked or edited to suit the administration’s needs and this in tandem with the drops of both magazines at nearly the same time had my interest piqued. It feels like once again history is repeating itself with intel being managed or changed to suit the needs of the politicians who are the consumers of that intel. Does anyone really remember the run up to the Iraq invasion and the machinations of the WHIG at all today? I guess in the vast sea of what is claimed to be journalism, the truth of matters is often lost but if you pay attention sometimes you can get some clarity.

The biggest part of the revelations by the intelligence community analysts is that they say we are losing ground with Da’esh in reality, not as the administration would like us all to think. Personally for me I have been of the opinion that drone strikes and a propaganda war has done absolutely nothing for the greater good and that we are in fact stagnant in ideas or means to stop the Middle East from becoming a sectarian bastion. The “Land War in Asia” thing aside, we have no real good plan for helping the moderates because we keep propping up the despots as bulwarks or as necessary evils in the game of Middle East Go. Since I am not a politician, nor am I anyone with any real pull I am stuck here just watching the conflagration while the rest of the world accepts media word-smithing ‘refugee’ to ‘migrant’ with bile rising in my throat.

Anyway….

Back to the magazines and their coincidental dropping at the same time on the same day. In looking at them they are both quite different in tone and direction. While the Inspire is the usual ideologue format it has some scary content in that it is giving directed ideas to the would be jihobbyists with their OSJ (Open Source Jihad) sections ranging from how to make a hand grenade to a call for the ‘Lone Wolf Caravan’ to carry out assassination operations. This call for the assassination ops has been one of the more focused notional magazines that I have seen out of AQAP and as such, with the successful attacks in recent past by lone wolves or small groups of actors without direct training by AQ/AQAP/Da’esh is concerning. Given the media savvy approach of the magazine with Inspire and then the alternative wind up of slick media on youtube by Da’esh, I have to think the synergy would create some new converts. Honestly folks, watching all this play out is much like watching the evolution of Batman and Joker.

Inspire 14

Here are some highlights from the Inspire 14 issue:

 

[Screenshot] Notice that the hybrid of separate groups of lone wolves and trained operational assets is being espoused (ala Hebdo)

[Screenshot] Using our own data in the media against us it seems. TSA is really just a street theater version of security anyway.

[Screenshot] Target choice here is interesting. Going after the intelligentsia? Are they less likely to be carrying?

[Screenshot] As you can see they are lining this all up for the jihobbyist.. Go pick someone out, find out everything about them with OSINT, and then choose your attack.

[Screenshot] Yet another IED but this time they want to have hand grenades much like the attack in Mumbai. The plans are simple and effective. One only hopes that some of these guys make a mistake and lose a limb in process

[Screenshot] They go on to offer targets like these you see here. Larry Ellison? Really? What did Oracle do to Islam? Bill Gates? What you are anti vaxers too?

Dabiq 11

Dabiq though, is another story altogether. It seems that the boys at Al Hayat are very very wordy. In their mag we have much more pedantic text concerning the millenarian ideal that Da’esh is purported to have. Though really only one section of the magazine has a direct line to that ideology at all. The rest is text, lots and lots of it, that may as well just be great swaths of the Qur’an for all I care. I guess overall though I have to equate the Dabiq to everything I have seen out of Ayman Zawahiri on the depth and breadth of pedantic arguments. Ayman and others like to spout all kinds of erudite scripture while the AQAP guys are “BLOW SOME SHIT UP!” which is odd given the nature of the media campaign we see on Twitter and YouTube by Da’esh. There is some disconnect here in the Dabiq magazine with all the text but they do try to intersperse some blood and guts type of things as well to keep the reader interested.

Frankly, I think Da’esh are still trying to figure out the magazine business…

 

Highlights from Dabiq 11

 

 

[Screenshot] Interspersed pages with vid caps leading you to YouTube and their usual outlets. Note the cognitive dissonance of beheadings and happy Eid!

[Screenshot] Millennial? You want Millennial? Here you go. That’s about it really. The Mahdi.. Wooooo.

[Screenshot] Obviously they think that blowing up ruins is the shizzle. Yeah yeah, it’s all about the rhetoric (which goes on and on in the text) about fighting the kuffir and Rome.

[Screenshot] OH LOOK MORE VIDEOS!

[Screenshot] This stuff here… Well they always have to make their money it seems. Fuckers.

[Screenshot] Lastly, they have a section of “in the enemy’s own words” which is media coverage. In this case they picked up on a piece by Mike Scheuer which I will talk about below.

ASSESSMENT:

In an ideological war such as we are seeing played out by vying Islamist parties like Da’esh and AQAP the clear winner in trying to evince a more stable and likely successful attack by a jihobbyist would be what you see in Inspire. This has been the modus operandi of AQAP for some time anyway so there is nothing new. Meanwhile if you watch the news and look at the article written by Mike Scheuer, Da’esh has been not only making noise online but also able to take key areas of the region physically. There is a propaganda war being played out but how much of that is really germane to the GWOT as a whole? With the death of Junaid Hussain for being a propaganda mouthpiece for Da’esh and the fallout since calling into question the extra-judicial nature of the killing one can see how much more prescient in the news cycle the propaganda war seems to be while the actual physical boots on the ground war is seemingly absent.

So yes, these two magazines show the varying ideals of how they want to prosecute the jihad. Da’esh seems to be very focused on the grounds for their beliefs to bolster their claim of a Caliphate while AQAP is actually prosecuting the war against the West hoping that players in the West will act. Given the nature of Inspire I can see this happening much more possibly than anyone sitting down for a good read of Dabiq. Frankly Dabiq is much like its cleric, shadowy, full of rhetoric, and in the end likely to be empty of any real Muslim ardour for religion’s sake. Either Abu Bakr is an Islamist Jim Jones cum Joker or he is a wannabe Ernst Stavro Blofeld in my mind.

My primary concern now is that Inspire has laid out some new ideas that the jihobbyists will take up and use. These are not super secret methods but things that, with the advent of the internet (i.e. OSINT, planning, connecting etc), make it even easier to carry off an assassination. It is also more a matter of action than it is discourse or belief in the Qur’an the way that the AQAP guys present the material. Sure the underpinnings are all about being a good Muslim and ridding the ummah of the West’s boot on their collective throat (perceived) but they are second to the slick pictures and notions of being a James Bond figure.

Finally, when Da’esh reaches the same point with their magazine I will worry more that a flotilla of fanboys will latch onto their crazy with much more information and perhaps pull off an assassination. Until then, I will just watch the propaganda war play out as we really do not do much of anything in the field to really root out the problem in the first place. The games must end and this tit for tat drone war is not going to do it for us.

ANCILLARY DATA:

As an interesting aside for the more technical out there: when getting the new issues of the magazines it came to light that someone has been playing with the supply chain again. The August 31 drop of the alleged Dabiq 11 issue, not only on archive.org but also on a slew of shortened addresses (t.co), was actually malware.


In this case the malware seems to have been a keylogger. I have seen other files come out the same way and one has to wonder if it is the IC or if it is the guys playing the home game. In any case, when you download these things be sure you run them through some tests. That is unless you don’t care about being pwn3d by a nation state.


Cheers,

K.

Written by Krypt3ia

2015/09/10 at 20:35

Posted in Inspire, jihad

The Nuclear Bomb of the Mujahideen


Nuclear Bomb of the Mujahideen:

AS IF the jihadis were listening to some people in the media they responded to a dearth of their particular brand of crazy in the darknets by adding a new site Monday. The Nuclear Bomb of the Mujahideen is a single page on the onions with six download links for documents on how nuclear weapons work, how to make one, and how to calculate the effectiveness of materials and fallout. Yes indeed, the darknet is now indeed scary because the AQ centric author of this single page has uploaded old data from 2006 that was circulating the clearnet on the jihadi boards back then.

WOOOO


So below I have some screen shots of the documents including the excel files that they left for calc’s to be made by some hapless jihobbyist who might try to make this happen. Frankly since there is nothing new here this is kind of a non story story BUT I wanted to get this on the blog before the MASS MEDIA SCARE engine sparked up and suddenly FOX is talking about the end of the world because DARKNET! This is not the end kids and in fact I think it much more likely that a dirty bomb would be used before some nuke was created by some group of jihadi’s or Da’eshbags.

Here are the details of the site:

  • Created Monday 6/22/15
  • Single page
  • 6 downloads
  • Email address of the creator is: sjpchm8723@mail2tor.com 
  • Old data
  • Excel and PDFs uploaded are malware free (at this time)
  • Excel files do have macros though so there is that.. VT came up clean but MALWR.com failed me today (500 error)
  • Data is taken from government and science files on clearnet
  • Files created on system with Latin as base language not Arabic
  • Yes.. the feds now know about the site.

So take a gander at the images below then meet me at the metadata section!

[Screenshot] 2006 manual

[Screenshot] Put that DIY nuke on a truck!

[Screenshot] Implosion calculator for the package (Nuclear material fission)

[Screenshot] Fallout calculator

[Image] OLD (FATMAN)

[Image] OLD IMPLOSION

METADATA:

What is more interesting from a DFIR kind of perspective is all the metadata that was left by the guy who put this site up and loaded those files. It could be all old data and I will have to go through my files to locate these pdf’s from 2006 to compare but let’s take a look shall we?

[Screenshot] Dude’s a Winderz user

[Screenshot] You can see where the 2006 files came from there…

[Screenshot] Using MS office and PDF machine!

[Screenshot] Winderz 7!

[Screenshot] PDF details

[Screenshot] MOAR PDF details

[Screenshot] Excel

[Screenshot] MOAR Excel

So what do we have here? Well, the creator is not creating anything new. In fact the documents all come from the 2006 range (PDFs) or 2014 in the case of the Excel files. So someone just downloaded these and then uploaded them to this site on Monday. Now, what I will say though is that they have enough comprehension of nuclear tech to include the Excel files on the radiation fallout and calcs for implosion but really, not much more than that. For all intents and purposes this could be a troll from someone who just Googled a bit and came up with a zip file to add to this site.
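The metadata pass described above (authoring software, creation years, whether a workbook carries macros) can be scripted so every file in a drop gets the same treatment. This is an added example, not the tooling used for the post: it assumes the workbooks are OOXML (the post does not say which Excel format was used), handles only PDFs whose Info dictionary is stored in the clear, and runs on two documents constructed in memory with made-up names and values.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PDF_KEYS = (b"Author", b"Creator", b"Producer", b"CreationDate", b"ModDate")
OOXML_KEYS = {"creator", "lastModifiedBy", "created", "modified", "Application", "AppVersion"}
MAX_PART = 1_000_000  # skip oversized metadata parts (decompression-bomb guard)


def pdf_info(data: bytes) -> dict:
    """Literal-string Info entries; hex strings and nested parentheses are not handled."""
    found = {}
    for key in PDF_KEYS:
        m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", data)
        if m:
            found[key.decode()] = m.group(1).decode("latin-1")
    return found


def pdf_date(value: str):
    """Split a PDF date such as D:20060312101500+02'00' into (year, UTC offset)."""
    m = re.match(r"D:(\d{4})(?:\d{10})?([+-]\d{2})?", value)
    return (int(m.group(1)), m.group(2)) if m else (None, None)


def ooxml_props(data: bytes) -> dict:
    """Core and extended properties of an OOXML file, plus a VBA-project flag."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        found["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in names or zf.getinfo(part).file_size > MAX_PART:
                continue
            raw = zf.read(part)
            if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
                continue  # property parts never need a DTD; refuse entity tricks
            for el in ET.fromstring(raw).iter():
                tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                if tag in OOXML_KEYS and el.text:
                    found[tag] = el.text.strip()
    return found


def profile(files: dict) -> dict:
    """Summarise what a set of {name: bytes} documents says about its origin."""
    summary = {"software": set(), "authors": set(), "years": set(), "macros": []}
    for name, data in files.items():
        if data.startswith(b"%PDF-"):
            info = pdf_info(data)
            summary["software"].update(info[k] for k in ("Creator", "Producer") if k in info)
            summary["authors"].update(info[k] for k in ("Author",) if k in info)
            summary["years"].add(pdf_date(info.get("CreationDate", ""))[0])
        elif data.startswith(b"PK\x03\x04"):
            props = ooxml_props(data)
            app = " ".join(props[k] for k in ("Application", "AppVersion") if k in props)
            if app:
                summary["software"].add(app)
            summary["authors"].update(props[k] for k in ("creator", "lastModifiedBy") if k in props)
            if re.match(r"\d{4}", props.get("created", "")):
                summary["years"].add(int(props["created"][:4]))
            if props["has_vba"]:
                summary["macros"].append(name)
    summary["years"].discard(None)
    return summary


def constructed_samples() -> dict:
    """Two small documents built in memory (constructed, not the files from the post)."""
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Creator (Constructed Word Processor) "
           b"/Producer (Constructed PDF Printer 1.0) /Author (user-a) "
           b"/CreationDate (D:20060312101500+02'00') >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n")
    core = ('<cp:coreProperties xmlns:cp="urn:constructed:cp" xmlns:dc="urn:constructed:dc" '
            'xmlns:dcterms="urn:constructed:dcterms"><dc:creator>user-b</dc:creator>'
            '<dcterms:created>2014-05-01T09:00:00Z</dcterms:created></cp:coreProperties>')
    app = ('<Properties xmlns="urn:constructed:app"><Application>Microsoft Excel</Application>'
           '<AppVersion>14.0300</AppVersion></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return {"manual.pdf": pdf, "calc.xlsm": buf.getvalue()}


if __name__ == "__main__":
    print(profile(constructed_samples()))
```

All of these fields are set by whoever last saved the file, so they are leads to corroborate rather than attribution; a `macros` hit only says a VBA project is present, not that it is hostile.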

On the other hand, could this be a phish of sorts? Why the email address? Feds? Or is this a real believer who wants to have the tech in the darknet and wants to have a discussion via mail2tor? I have to wonder about this and I may in fact email them to see what I get back. Since the files seem to be malware free (at this moment) I am going to say this is 50/50 a troll or a true believer. Though, the coincidence that a report on how there is a lack of terrorism (jihadi) in the darknet and suddenly this site appears, well, trollhard my friends.

Ok back to the media.. DON’T FREAK OUT!!! This is nothing. You have more to fear from your IP enabled toaster exploding like on CSI Cyber than you do of some numbnut finding fissile material on a darknet market and using these guides to make a bomb. Believe me.

K.

Written by Krypt3ia

2015/06/24 at 13:58

Posted in DARKNET, jihad, Jihobbyists